You can improve the security of your sign in to AWS services, such as Amazon WorkSpaces and Amazon QuickSight, by enabling multi-factor authentication (MFA) when using AWS Directory Service for Microsoft Active Directory (Enterprise Edition), also known as Microsoft AD. Enabling MFA helps improve the security of your applications because users must enter a one-time passcode (OTP) in addition to their Active Directory (AD) user name and password. AWS Microsoft AD supports both virtual and hardware MFA OTP tokens.

With Microsoft AD, AWS service users can authenticate against your on-premises AD and your existing Remote Authentication Dial-In User Service (RADIUS)–based MFA solution. RADIUS is an industry-standard protocol that authenticates and authorizes network access securely. AWS Microsoft AD enables you to connect to a RADIUS server that you have installed to work with your on-premises AD. Your RADIUS server must support OTP-style MFA or have a plug-in that does so. This makes it easy for your users to log in with their existing on-premises user names and passwords, with the added security of MFA OTP.